Encryption Key Management (EKM) describes the processes and technologies used in the storage, protection and cataloguing of encryption keys, related cryptographic objects and the metadata associated with these keys and objects.

Why do we need Encryption Key Management?
The building blocks used in the process of encrypting data are an encryption key (generally a long sequence of characters), an encryption algorithm and some plaintext (unencrypted) data. While each building block is critical to the encryption process, in this article I will be focusing on management of the encryption keys.
To decrypt any encrypted data (ciphertext), the same key that was used to encrypt the data needs to be applied in the decryption process. In most instances each piece of encrypted data, whether a file, a database table or cell, a tape or a hard drive, will have its own unique encryption key. When encryption is deployed across an enterprise, encryption keys accumulate in the normal course of operations. This in turn leads to a substantial number of encryption keys that need to be matched with their corresponding piece of encrypted data. As the need for managing encryption keys grew, vendors met this need by developing encryption key management server products, or “Key Managers”.
What is effective encryption key management?
Whilst not an exhaustive list, any effective key management solution should incorporate the following design and operational principles:
- Separation of the encrypted data and the corresponding encryption keys;
- Availability of the keys to authorized systems and users;
- Protection of the keys from unauthorized systems and users;
- Management of the key lifecycle and associated metadata; and
- Interoperability with the encryption systems it serves.
Separation – A core approach that many security compliance frameworks follow is to mandate that data encryption keys are stored and managed separately from the data they protect.
Availability – Data encryption keys MUST ALWAYS be available to the systems reliant on them for data encryption/decryption operations. As most data-at-rest encryption systems perform these operations transparently to the user (usually within the data path to/from the storage media), if a key is not available the process halts and the system/user is left waiting, an unacceptable outcome in almost all scenarios.
Protection – Given that the point of encrypting data is to protect it from unauthorized use, protection of the encryption keys is equally important. A good key management system ensures that only authorized systems and users have access to the data encryption keys. In this way, even if the storage systems/media are compromised, they provide little value without the keys (I’ll leave quantum computer-based attacks for another article).
Management – As data is viewed as an enterprise’s greatest asset, the management of the keys protecting that data must be valued similarly. This is the larger task and the item that consumes much of the development effort when building an encryption key management system. It encompasses managing the lifecycle of each key from creation through usage to decommissioning (“cradle to grave”), as well as sufficient metadata that meaningful management activities can be performed. Examples of this metadata include the dates of transitions through each stage in a key’s lifecycle, any identifiers used to reference the key, and the key/algorithm type, length and variant.
Interoperability – For data encryption to be deployed effectively, a user or system using an encryption key must be able to securely interact with the EKM system to obtain or store such a key (or the information/metadata associated with it). For this you need a standardized method of communication, in order to avoid single-vendor (homogeneous) deployments, a near-universal requirement for most large enterprises. In my view, the answer here is the OASIS KMIP Specification: it is regularly updated, deployed across the vast majority of storage vendor solutions and quite extensive in its scope, running from the wire protocol through to defining all the tools required to construct and deploy a key management solution. Of late the work on this standard has focused more on dealing with scale, performance and automation of management tasks. I’ll focus more on this in future posts.
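To make the separation, protection and lifecycle-management principles above concrete, here is a small added model of a key manager in Python; it is example code written for this article, not a product or a KMIP implementation. The lifecycle states, the requesting system names and the metadata fields are assumptions, and the encryption operation itself is left to the consuming storage system, which holds only ciphertext and a key identifier.

```python
import secrets
from datetime import datetime, timezone

# Allowed lifecycle transitions (assumed states, modelled on the NIST SP 800-57 lifecycle)
TRANSITIONS = {
    "pre-active": {"active", "destroyed"},
    "active": {"deactivated", "compromised"},
    "deactivated": {"destroyed", "compromised"},
    "compromised": {"destroyed"},
    "destroyed": set(),
}
# Operations a key may serve in each state: a deactivated key can still decrypt old data
USABLE = {"active": {"encrypt", "decrypt"}, "deactivated": {"decrypt"}}


class KeyManager:
    """Holds key material and metadata; a data store only ever holds the key identifier."""

    def __init__(self):
        self._keys = {}  # key_id -> key bytes (stored separately from the data)
        self._meta = {}  # key_id -> metadata, retained after destruction for audit

    def create(self, algorithm, length_bits, authorized):
        key_id = secrets.token_hex(8)  # identifier that systems use to reference the key
        self._keys[key_id] = secrets.token_bytes(length_bits // 8)
        self._meta[key_id] = {
            "algorithm": algorithm, "length_bits": length_bits, "state": "pre-active",
            "authorized": set(authorized),  # systems/users allowed to receive this key
            "history": [("pre-active", datetime.now(timezone.utc))],  # transition dates
        }
        return key_id

    def transition(self, key_id, new_state):
        meta = self._meta[key_id]
        if new_state not in TRANSITIONS[meta["state"]]:
            raise ValueError(f"illegal transition {meta['state']} -> {new_state}")
        meta["state"] = new_state
        meta["history"].append((new_state, datetime.now(timezone.utc)))
        if new_state == "destroyed":
            del self._keys[key_id]  # key material is gone; metadata stays for audit

    def get(self, key_id, requester, operation):
        """Release key material only to an authorized requester and only for a permitted use."""
        meta = self._meta[key_id]
        if requester not in meta["authorized"]:
            raise PermissionError(f"{requester} is not authorized for key {key_id}")
        if operation not in USABLE.get(meta["state"], set()):
            raise RuntimeError(f"key {key_id} is {meta['state']}: {operation} refused")
        return self._keys[key_id]

    def metadata(self, key_id):
        return dict(self._meta[key_id])
```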
© 2023 TC Logic Pty Ltd